Setting up a UK limited company involves two separate identity checks that, understandably, are often confused. Identity verification under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) and anti-money laundering (AML) due diligence under the Money Laundering Regulations often occur simultaneously and use similar documents, but they are separate processes in law. It is important to understand that, as we will explain in this article, completing one check does not satisfy the other.
- ECCTA verification is a personal obligation; AML CDD is a firm-level obligation. Mixing them up leaves both individuals and agents exposed to separate sanctions.
- One ECCTA check creates a reusable personal code; AML due diligence must be refreshed and monitored throughout the client relationship.
- ACSPs can complete ECCTA verification but must still run full AML CDD, maintaining two distinct sets of records for the same client.
- Documents such as passports often serve both checks, yet AML requires a broader risk assessment, including ownership structure and commercial rationale.
- High-risk jurisdictions automatically trigger Enhanced Due Diligence, but ECCTA verification remains identical regardless of jurisdictional risk.
What Are the Two Checks?
The two checks are as follows:
AML due diligence (under MLR 2017) – this is an obligation placed on the regulated firm, such as a formation agent, not on the individual. It is a structured risk assessment conducted before the firm can act for a client, designed to prevent money laundering and other financial crimes. It continues throughout the business relationship.
Companies House identity verification (under ECCTA 2023) – a personal legal requirement for every director and PSC. It confirms who they are so their identity can be recorded on the public register. It is completed once, and a personal code is issued for all future filings.
Companies House Identity Verification Check
The first check is Companies House identity verification under ECCTA. This confirms your identity so it can be recorded on the public register. It is a personal requirement placed on directors and Persons with Significant Control (PSCs).
| Companies House identity verification | Detail |
|---|---|
|
Legal basis |
ECCTA 2023 |
|
Who must comply |
All new and existing directors and PSCs |
|
Who carries it out |
The individual directly, or through an ACSP |
|
Is it a one-off? |
Yes – personal code issued and reused |
|
Consequence of non-compliance |
Criminal offence; filings blocked; register annotation |
AML Due Diligence Check
The second check is AML due diligence under the Money Laundering Regulations. This is a risk assessment carried out by the formation agent or other regulated firm before they can act for you. It is designed to prevent money laundering and financial crime.
| AML due diligence (MLR 2017) | Detail |
|---|---|
|
Legal basis |
Money Laundering Regulations 2017 |
|
Who must comply |
The regulated firm — not the individual client |
|
Who carries it out |
The firm, as part of its CDD obligations |
|
Is it a one-off? |
No — ongoing throughout the relationship |
|
Consequence of non-compliance |
Regulatory sanctions, civil penalties, possible criminal prosecution |
What Does the Companies House Identity Verification Process Involve?
Identity verification under ECCTA is a legal requirement placed on individuals. Every director and PSC must confirm who they are before or at the point their details are added to the Companies House register. There is no exemption based on nationality or location.
From 18th November 2025, verification became mandatory for all new directors and PSCs. Existing directors must verify before their next confirmation statement due after that date. New PSCs must provide their personal code within 14 days of being notified to the register.
Verification can be completed directly or through an Authorised Corporate Service Provider (ACSP). Once verified, Companies House issues a personal code used for all future filings. In most cases verification is a one-off exercise. Not complying is a criminal offence. If you have not verified, you cannot make filings, incorporate a new company, or continue acting as a director. Unverified status is also annotated on the public register, visible to banks, investors, and anyone searching for your company.
What Does AML Due Diligence Involve?
Anti-money laundering due diligence is an obligation placed on the regulated firm. Formation agents are classified as Trust or Company Service Providers (TCSPs) under MLR 2017. They must carry out Customer Due Diligence (CDD) before acting for a client, even for a one-off company formation. CDD requires the firm to identify and verify the client, understand the purpose of the business relationship, identify any beneficial owners, and monitor the relationship on an ongoing basis. It is not a single document check. It is a structured risk assessment that considers the full picture of who the client is and what they intend to do.
If a higher risk is present, for example where the client is a Politically Exposed Person (PEP) or has connections to a high-risk jurisdiction, Enhanced Due Diligence (EDD) applies. This involves additional steps, including verifying the source of funds and applying closer scrutiny throughout the relationship. Even where identity verification has been completed without issue, the EDD obligation remains fully in force.
KYC (Know Your Customer) and due diligence is part of anti-money laundering. KYC identifies and risk-rates the client. CDD is the broader risk assessment. Both are part of the firm’s MLR 2017 obligations, and neither is satisfied by completing ECCTA identity verification.
Why Do These Checks Often Confuse?
Both processes often ask for a passport or driving licence. A client who has handed over their passport for identity verification may assume the formation agent has everything it needs. In most cases, that is not correct.
The formation agent may use the same document as part of AML due diligence, but for a different legal purpose. For Companies House, the document confirms identity for the public register. Under MLR 2017, it is part of a wider risk assessment that also considers the nature of the business, the source of funds, and the ownership structure.
AML due diligence requires the firm to understand who owns the business, where the money comes from, and whether the proposed activities are commercially credible. A passport alone does not answer any of those questions.
What Is an ACSP and Why Does It Matter?
An Authorised Corporate Service Provider (ACSP) is a business registered with Companies House that can carry out identity verification on behalf of clients. To register as an ACSP, a business must already be supervised by a recognised UK anti-money laundering supervisory body. When an ACSP verifies a client’s identity for Companies House purposes, it confirms that identity with the Registrar and includes the client’s unique identifier in the filing. This satisfies the ECCTA identity verification requirement.
However, ACSP status does not remove AML obligations. The ACSP must still carry out separate CDD under MLR 2017 for the same client. The two processes can happen simultaneously, using the same documents and through the same firm. But they are legally distinct and the records must be maintained independently.
How Record-Keeping Obligations Differ
For ECCTA identity verification, the individual receives a personal code. The ACSP records its unique identifier against the filing. Companies House holds the verified status on the public register.
For AML purposes, the regulated firm must retain all CDD records, including copies of identity documents, risk assessments, and evidence of any enhanced measures applied. MLR 2017 requires these records to be kept for five years after the end of the client relationship. These records cannot be deleted or destroyed early, even if the client relationship ends before that period has elapsed.
For these reasons, it is important to familiarise yourself with the compliance requirements for company formation, which specify the documentation required when forming a UK company.
What Happens If the Two Checks Are Confused?
For the individual, failing to complete ECCTA identity verification means their appointment cannot be registered. Unverified status is visible on the public register and affects credibility with banks and investors. Criminal liability and financial penalties apply for ongoing non-compliance.
For the regulated firm, failing to carry out adequate AML due diligence exposes the business to enforcement action from its supervisory body, civil penalties, and in the most serious cases, criminal prosecution. Treating ECCTA identity verification as a substitute for CDD provides no regulatory protection.
A formation agent that understands the legal distinction is better placed to handle both checks correctly, maintain the right records, and give clients a clear account of what each party is responsible for. That clarity benefits the client, the firm, and the integrity of the register.
High-Risk Jurisdictions and Identity Verification
Under MLR 2017, a client connected to a high-risk country automatically triggers Enhanced Due Diligence. The firm must apply closer scrutiny to the source of funds, the ownership structure, and the purpose of the transaction.
ECCTA identity verification does not distinguish between jurisdictions. Directors and PSCs from any country verify in the same way. Enhanced AML obligations for high-risk clients remain in full regardless of whether identity verification has been completed.
Our article on high-risk jurisdictions when registering a UK company explains the enhanced obligations that apply in those circumstances.
Final Words
Companies House identity verification and AML due diligence are two separate legal obligations. They exist for different reasons, under different laws, with different consequences for non-compliance. They use similar documents and happen around the same time, which is why they are so often treated as one exercise. They are not. Before you proceed, it is important to understand the proof-of-identity requirements (e.g., proof of address) for setting up a UK company to ensure you have the correct documentation.
Directors and PSCs also need to understand which obligations fall on them personally. Formation agents need to understand which obligations rest with the firm. Neither party can rely on the other check to satisfy their own requirements. Getting this right from the outset avoids delays at incorporation and reduces the risk of compliance failures on both sides.
